PatchSiren cyber security CVE debrief
CVE-2024-11158 Rockwell Automation CVE debrief
CVE-2024-11158 is a high-severity uninitialized variable vulnerability in Rockwell Automation Arena simulation software, published 2024-12-10 and last modified 2026-02-03. The flaw exists in Arena versions 16.20.00 and earlier, where a crafted DOE (Design of Experiments) file can force the software to access a variable before initialization, leading to arbitrary code execution. Exploitation requires local access and user interaction—a legitimate user must execute the malicious file. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability with low attack complexity. Rockwell Automation released Update B to this advisory on 2026-02-03, adding CVE-2025-6376 and CVE-2025-6377 while updating affected products and mitigations. The vendor recommends upgrading to Arena V16.20.09 or later as the primary remediation. Additional mitigations include avoiding untrusted model files and holding the control key during file load to prevent VBA stream execution.
- Vendor
- Rockwell Automation
- Product
- Arena
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-10
- Original CVE updated
- 2026-02-03
- Advisory published
- 2024-12-10
- Advisory updated
- 2026-02-03
Who should care
Industrial engineers, OT security teams, and organizations using Rockwell Automation Arena for discrete event simulation in manufacturing and logistics environments should prioritize patching. Organizations with bring-your-own-model workflows or external collaboration on simulation files face elevated risk due to the user-interaction dependency of this vulnerability.
Technical summary
The vulnerability stems from improper initialization of variables during DOE file parsing in Arena simulation software. When a malformed DOE file triggers access to an uninitialized variable, memory corruption occurs that can be leveraged for code execution. The attack vector is local (AV:L) with required user interaction (UI:R), meaning social engineering or file sharing is necessary for exploitation. The 2026-02-03 Update B expanded the advisory scope with additional CVEs and updated product mitigations, indicating ongoing security review of the Arena codebase.
Defensive priority
high
Recommended defensive actions
- Upgrade Rockwell Automation Arena to version 16.20.09 or later to address the uninitialized variable vulnerability
- Avoid loading untrusted Arena model files from unverified sources
- Hold the Control key when loading files to prevent automatic VBA file stream execution
- Implement Rockwell Automation security best practices for industrial control systems
- Apply Stakeholder-Specific Vulnerability Categorization (SSVC) for environment-specific prioritization
Evidence notes
Vulnerability details and remediation guidance sourced from CISA ICS Advisory ICSA-24-345-06 (Update B). Affected product version confirmed as Arena <=16.20.00. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H validated against source. Timeline reflects initial publication 2024-12-10, Update A 2025-01-09, and Update B 2026-02-03 per revision history.
Official resources
-
CVE-2024-11158 CVE record
CVE.org
-
CVE-2024-11158 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-12-10